Set up SFTP users in Linux-based systems
This article shows you how to create secured SSH File Transfer Protocol (SFTP) users that are restricted or jailed to their home directories.
WARNING: Do not try to jail the root user. Only jail additional users so that you don’t prevent the root user from performing operations correctly.
Before you begin, review the following best practices:
The home directory of the SFTP user must be owned by
root:root. Other directories can (and should) be owned (and writable) by the user.
It’s important to ensure the chroot user has write access to the specified DocumentRoot.
It’s important to log in and test that the SFTP user is working correctly.
It’s important to ensure that the SFTP user added is added to the SFTP group.
These instructions are for adding a single domain (SFTP user), but you could potentially use them to manage multiple domains.
Important: The steps in this article do not work with RHEL® 7 or CentOS® 7. As with any proper chroot operation, this configuration does not provide write access to the chroot directory. Only subdirectories of the chroot jail are writable. This is due to the way that root permissions are interpreted at the higher-level directories in which the SFTP user is contained.
Use the following steps to create secured SFTP users that are jailed to their home directories:
Add the SFTP group that you want to use for SFTP access by running the following command:
Add the SFTP user by running the following command, replacing
myuserwith the username:
useradd -d /var/www/vhosts/domain.com -s /bin/false -G sftponly myuser
Create a password for the user by running the following command, replacing
myuserwith the username:
sshd_configfile that holds the SSH and SFTP configuration by running the following command:
Comment out the following line by adding a hash symbol (#) at the beginning, as shown in the following example:
#Subsystem sftp /usr/lib/openssh/sftp-server
Add the following line directly below the line that you just commented out:
Subsystem sftp internal-sftp
Add the following code to the bottom of the file:
Match Group sftponly ChrootDirectory %h X11Forwarding no AllowTCPForwarding no ForceCommand internal-sftp
sshdcommand to test the changes, then restart the service.
Important: If this step is performed incorrectly, it might break your SSHD configuration.
sshd -t service sshd restart
Ensure that the file permissions on the file system are correct
Next, you need to verify that the file permissions on the file system are correct so that the SFTP jail works correctly.
Verify that the
SFTPROOTdirectory (the home directory that you set when you added the SSH user) has the right
user:root group:rootpermissions by running the following command:
chown root:root /var/www/vhosts/mywebsite.com/
To verify that the SFTP login works, connect to SFTP by running the following command, replacing
myuserwith the user that you have chosen, as shown in the following example:
sftp myuser@localhost myuser@localhost's password: Connected to localhost.
Test the directory listing by running the following command:
sftp> ls -al
The output should be similar to the following example:
drwxr-xr-x 3 0 0 4096 Sep 28 08:09 . drwxr-xr-x 3 0 0 4096 Sep 28 08:09 .. drwxr-xr-x 2 5001 33 4096 Sep 28 08:52 html -rw-r--r-- 1 0 0 0 Sep 28 08:09 test.php
Note: Use the
cdcommand to go to the HTML directory (which is located at
/var/www/vhosts/mywebsite.com/htmlbecause the website ‘documentroot’ is one level below the SSH SFTP user’s
rootdirectory. You should use this setup because your
www-datausers (the web server’s users) have root
user:grouppermissions on its files.
Test the ability to upload files by running the following commands:
sftp> cd html sftp> put test.php Uploading test.php to /html/test.php test.php 100% 12K 20.0KB/s 00:00
Test the ability to download files by running the following command:
sftp> get test.php Fetching /test.php to test.php
Display the present working directory by running the following command:
sftp> pwd Remote working directory: /html
SFTP only sees the files in the
/var/www/vhosts/mywebsite.com/directory, and considers this directory the highest-level, root (‘/’) directory.
Use the following steps to connect to SFTP and set up your SFTP client:
- Install Cyberduck®.
- Open the Cyberduck application.
- At the top of the window, click the icon for Open Connection.
- In the drop-down menu, select SFTP (SSH File Transfer Protocol).
- In the Server field, enter the Internet Protocol (IP) address for the server.
- Enter the username and password that you use to connect to SFTP.
- Click Connect.
Important: Always test your website after you change file permissions.
©2020 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License